Wednesday, August 29, 2007

An eavesdropping vulnerability was revealed on the popular Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.

While playing with the SIP Madynes stateful fuzzer (for a description see http://hal.inria.fr/inria-00166947/en), we have realized that some SIP stack engines have serious bugs allowing an attacker to automatically make a remote phone accept the call without ringing and without asking the user to take the phone off the hook, such that the attacker might be able to listen to all conversations that take place in the remote room without being noticed. One example that we can disclose (vendor was notified on 10th May 2007) is the following: Grandstream SIP Phone GXV-3000

Impact: A malicious user can remotely eavesdrop (from a remote location) and perform DoS on a remote phone.

Resolution: Fixed software will be available from the vendor, and customers following recommended best practices (i.e. segregating VoIP traffic from data) will be protected from malicious traffic in most situations.

The vulnerability is based on a sequence of two messages, where both messages are syntactically correct, but together they turn the device into an inconsistent state, where the RTP is now sent to the attacker.

ougui at 152.81.48.94:5060 is the attacker
1005 at 152.81.48.88:5060 is the attacked phone
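The two-message problem described above is one of dialog state, not syntax: each message passes a parser on its own, but the second is not valid given what came before it. As an added example (not code from this post or from the Madynes team), the following Python sketches the check a SIP user agent should make on the called side: a per-Call-ID state machine that only starts sending RTP once the local user has answered and the caller has acknowledged. The two requests in it (an INVITE and an ACK from "ougui" to "1005", using the addresses from the trace header above) are constructed for illustration and are not the pair from the advisory; the ports, tags, branch and Call-ID are invented.

```python
"""Stateful SIP validation on the called phone (the UAS side).

Added example, not code from the original post or the Madynes/INRIA advisory.
The two requests below are constructed and are NOT the pair used against the
GXV-3000 (the trace is not reproduced on this page); ougui, 1005 and the
152.81.48.x addresses come from the post, ports, tags and Call-ID are made up.
"""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

SipRequest = namedtuple("SipRequest", "method cseq cseq_method headers body")
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq")


def parse_sip(raw: str) -> SipRequest:
    """Syntactic check only; passing says nothing about the dialog state."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.split("\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3 or start[2] != "SIP/2.0" or not start[0].isupper():
        raise ValueError(f"bad request line: {lines[0]!r}")
    pairs = [line.split(":", 1) for line in lines[1:]]
    headers = dict((k.strip(), v.strip()) for k, v in pairs)   # ValueError if no ':'
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise ValueError(f"missing headers: {missing}")
    num, meth = headers["CSeq"].split()          # ValueError if not two tokens
    return SipRequest(start[0], int(num), meth, headers, body)


@dataclass
class UasDialog:
    """Callee side of one INVITE dialog, simplified from RFC 3261 s.13.3:
    IDLE -INVITE-> RINGING -answer()-> ANSWERED -ACK-> CONFIRMED.
    RTP flows only in CONFIRMED: the user picked up AND the caller ACKed."""
    state: str = "IDLE"
    invite_cseq: Optional[int] = None
    offered_target: Optional[str] = None   # c=/m= from the INVITE's SDP
    rtp_target: Optional[str] = None       # set only once media is allowed

    def media_active(self) -> bool:
        return self.state == "CONFIRMED" and self.rtp_target is not None

    def answer(self) -> None:              # user lifts the handset, 200 OK sent
        if self.state != "RINGING":
            raise RuntimeError(f"cannot answer in state {self.state}")
        self.state = "ANSWERED"

    def receive(self, msg: SipRequest) -> bool:
        """Apply one parsed request; False = well-formed but out of state."""
        if msg.method == "INVITE" and self.state == "IDLE":
            addr = re.search(r"^c=IN IP4 (\S+)", msg.body, re.M)
            port = re.search(r"^m=audio (\d+)", msg.body, re.M)
            self.offered_target = f"{addr[1]}:{port[1]}" if addr and port else None
            self.invite_cseq, self.state = msg.cseq, "RINGING"   # user not involved yet
            return True
        if (msg.method == "ACK" and self.state == "ANSWERED"
                and msg.cseq_method == "ACK" and msg.cseq == self.invite_cseq):
            self.state, self.rtp_target = "CONFIRMED", self.offered_target  # RTP may flow
            return True
        # Syntactically fine but not valid for this state: drop it, keep the state.
        # Skipping this check is what lets two individually valid messages drive
        # a phone into an inconsistent state.
        return False


# Constructed requests from caller ougui (152.81.48.94) to phone 1005.
INVITE = """INVITE sip:1005@152.81.48.88 SIP/2.0
Via: SIP/2.0/UDP 152.81.48.94:5060;branch=z9hG4bK776asdhds
From: <sip:ougui@152.81.48.94>;tag=1928301774
To: <sip:1005@152.81.48.88>
Call-ID: a84b4c76e66710@152.81.48.94
CSeq: 1 INVITE
Content-Type: application/sdp

v=0
c=IN IP4 152.81.48.94
m=audio 49170 RTP/AVP 0
"""
ACK = """ACK sip:1005@152.81.48.88 SIP/2.0
Via: SIP/2.0/UDP 152.81.48.94:5060;branch=z9hG4bK776asdhds
From: <sip:ougui@152.81.48.94>;tag=1928301774
To: <sip:1005@152.81.48.88>;tag=a6c85cf
Call-ID: a84b4c76e66710@152.81.48.94
CSeq: 1 ACK
"""


def run(messages, answer_after=None):
    """Feed raw requests to one dialog; the user answers after index answer_after.
    Returns (dialog, list of per-message accept/reject decisions)."""
    d, accepted = UasDialog(), []
    for i, raw in enumerate(messages):
        accepted.append(d.receive(parse_sip(raw)))   # parse_sip accepts both
        if i == answer_after:
            d.answer()
    return d, accepted
```

Both requests parse cleanly, so a stateless parser cannot tell a legitimate call from an unsolicited ACK. Only the stateful receiver can: in `run([INVITE, ACK], answer_after=0)` the dialog reaches CONFIRMED and RTP goes to the caller's offered address, while in `run([INVITE, ACK])` the ACK that arrives before anyone picked up is dropped and the phone stays in RINGING with no media. The example does not reproduce the GXV-3000 bug itself; it shows the kind of per-dialog check whose absence the advisory describes.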